Discovery and mapping of containerized software applications

ABSTRACT

An example system includes a database disposed within a remote network management platform that manages a managed network, where one or more worker nodes are configured to execute containerized software applications on behalf of the managed network. The system also includes a computing device configured to request and receive configuration data identifying the applications; access traffic data generated by packet detection modules disposed amongst the one or more worker nodes and configured to (i) monitor network traffic between the applications and (ii) generate and store the traffic data which is indicative of the monitored network traffic; parse the traffic data for one or more patterns indicative of communicative relationships between the applications; based on the one or more patterns being present in the traffic data, generate mappings between the applications that have communicative relationships therebetween; and store, in the database, the configuration data and the mappings.

BACKGROUND

Management of a network may involve gathering information regarding the configuration and operational aspects of the network. The configuration and operational aspects may include the distribution and availability of software applications across computing devices within the network. Service mapping is a set of operations through which a remote network management platform or other entity can discover and logically organize representations of these computing devices and software applications, and also represent the relationships therebetween.

Traditionally, each software application is configured to be executed by a particular computing device within the network, and depends on a computing environment provided thereby. However, containerized software applications may be dynamically distributed across multiple computing devices over time. Containerized software applications might not persist on the same computing device for as long as the traditionally-executed software applications. Service mapping is thus made more difficult by the ephemeral nature of containerized software applications.

SUMMARY

Service mapping creates and maintains maps of computing resources and their dependencies to facilitate analysis of service impacts, help locate outages, and identify other potential issues in a managed network. Among other components, the maps include computing devices, software applications executing thereon, and the dependencies existing therebetween. Conventionally, each software application is developed to be executed in the context of an operating system and computing environment provided by a particular computing device or group thereof. Each software application therefore persists on its corresponding computing device for a prolonged period of time. Service mapping can thus operate with the assumption that once a software application has been detected on a given computing device, it is likely to remain there and its execution is likely to be dependent on successful operation of this computing device.

The process of discovering the different resources available within a managed network may therefore be carried out relatively infrequently (e.g., once daily, weekly, or monthly). Additionally, due to the persistence of conventional software applications on their respective computing devices, the discovery process may uncover software applications regardless of whether they are being executed or not (e.g., by identifying an executable file of the software application on the computing device).

However, the increasing popularity of executing software applications in containers calls for a different approach to service mapping than the conventional paradigm of software application execution. A container is a stand-alone executable package of a software application that includes components needed to run the software application, including the software application's code, runtime, system tools, system libraries, and settings, among other components. The container allows the software application to run consistently in different operation environments. Execution of containerized software applications is often facilitated by a container orchestration system such as, for example, KUBERNETES®, which groups containers into units called pods.

Pods may be distributed across the available computing resources in a computing cluster to provide a desired number of copies of a software application or its different components. A software application may be scaled up to meet increasing demand therefor by increasing the number of pods in which copies of the software application are being executed, or it may be scaled down by terminating some of the pods. A master node may automatically manage the distribution of pods across the available computing resources. Pods may be destroyed as computing resources experience outages, and may responsively be replaced by other pods on other available computing resources. Thus, the distribution of software applications across the available computing resources in a computing cluster may be highly variable over time. Additionally, replacement pods may be assigned different IP addresses and different identifiers, thus making them difficult to track over time. This is contrary to the conventional paradigm in which software applications are tied to the computing devices on which they execute and the identifiers associated therewith. In some cases, the rate at which pods are terminated and replaced may be greater than the rate of at which software is discovered and mapped using conventional service mapping practices, especially for large-scale software product or services.

Accordingly, the service mapping process for containerized software applications should be modified to account for the ephemeral nature of containerized software applications. Detection of changes in the distribution of containerized software applications across computing resources of a computing cluster may be facilitated by including, on each computing resource (e.g., each worker node) in the computing cluster, a packet detection module that monitors network traffic received and transmitted by the pods executing thereon. The identities (e.g., names or other identifiers) of the software applications or modules corresponding to each of the monitored IP addresses may be determined based on configuration data provided by the master node, which may track the distribution of pods, containers, and software applications amongst the computing resources in the cluster. Thus, by using traffic data generated by the packet detection modules in combination with the configuration data provided by the master node, the distribution and communicative relationships among the containerized software applications executing on the computing cluster may be determined.

Notably, the communicative relationships might not be known without monitoring the network traffic when the software applications being executed on the cluster are developed and maintained by a third party that does not provide access to the software applications' source code. Additionally, even if potential communicative relationships might be known based on the source code, the actual communicative relationships established during execution might be different. A particular enterprise, for example, might invoke only a portion of the software applications of software product. Further, containerization allows multiple copies of the same software application to be executed in multiple pods. Thus, the potential connections associated with a given software application could actually be instantiated multiple times, and each time a different subset of the possible connections might actually be established. Absent monitoring of the network traffic and configuration data, the actual connections that exist at runtime might not be accurately predictable.

Accordingly, the packet detection modules may generate and store traffic data indicative of the monitored network traffic. In some cases, the packet detection modules may filter the monitored network traffic and store only a subset thereof. For example, only transmission control protocol (TCP) SYN packets, indicating initiation of new connections, may be identified by the traffic data. However, in some cases, the packet detection modules may be configured to generate and store additional traffic data, such as traffic data identifying the amount of data transmitted between different pods, containers, and/or software applications.

A computing device may be configured to request and receive the traffic data and the configuration data. The traffic data may be parsed for patterns indicative of communicative relationships between software applications, containers, pods, or other components of the container orchestration system. Specifically, the computing device may parse the traffic data to identify traffic between two or more pods identified by the configuration data. Since the number and distribution of pods may change over time, the computing device may also verify that any traffic exchanged between two addresses corresponding to two different pods was, in fact, exchanged at a time when the addresses were assigned to the two pods, rather than other pods existing at an earlier or later time. The computing device may generate mappings between pods that have communicative relationships.

The mappings may be stored by the computing device in a database. A graph may be used to represent the mappings, with each node of the graph representing a pod and each link of the graph representing a communicative relationship. Each node of the graph may also include sub-nodes representing containers, software applications, or software processes that make up the software applications. Additionally, multiple nodes may be grouped into super-nodes that represent the computing resources within the computing cluster, with each computing resource potentially executing multiple pods thereon. The graph may be displayable on a graphical user interface of a computing device to visualize the distribution of the containerized software applications across the computing resources of the computing cluster.

Accordingly, a first example embodiment may involve requesting and receiving, from one or more worker nodes and by a computing device disposed within a remote network management platform that manages a managed network, configuration data identifying containerized software applications executing on the one or more worker nodes on behalf of the managed network. The managed network obtains service from a computing cluster that includes the one or more worker nodes. The first example embodiment may also involve accessing, by the computing device, traffic data generated by packet detection modules disposed amongst the one or more worker nodes. The packet detection modules are configured to (i) monitor network traffic between the containerized software applications and (ii) generate and store the traffic data. The traffic data is indicative of the monitored network traffic. The first example embodiment may additionally involve parsing, by the computing device, the traffic data for one or more patterns indicative of communicative relationships between the containerized software applications identified by the configuration data. The first embodiment may further involve, based on the one or more patterns being present in the traffic data, generating, by the computing device, mappings between the containerized software applications that have communicative relationships therebetween. The first embodiment may yet further involve storing, in a database disposed within the remote network management platform and by the computing device, the configuration data and the mappings.

In a second example embodiment, an article of manufacture may include a non-transitory computer-readable medium, having stored thereon program instructions that, upon execution by a computing system, cause the computing system to perform operations in accordance with the first example embodiment.

In a third example embodiment, a computing system may include at least one processor, as well as memory and program instructions. The program instructions may be stored in the memory, and upon execution by the at least one processor, cause the computing system to perform operations in accordance with the first example embodiment.

In a fourth example embodiment, a system may include various means for carrying out each of the operations of the first example embodiment.

In a fifth embodiment, a system may include a database disposed within a remote network management platform that manages a managed network. The managed network obtains service from a computing cluster that includes one or more worker nodes. The one or more worker nodes are configured to execute containerized software applications on behalf of the managed network. The system may also include a computing device disposed within the remote network management platform and configured to request and receive, from the one or more worker nodes, configuration data identifying the containerized software applications. The computing device may also be configured to access traffic data generated by packet detection modules disposed amongst the one or more worker nodes. The packet detection modules are configured to (i) monitor network traffic between the containerized software applications and (ii) generate and store the traffic data. The traffic data is indicative of the monitored network traffic. The computing device is additionally configured to parse the traffic data for one or more patterns indicative of communicative relationships between the containerized software applications and, based on the one or more patterns being present in the traffic data, generate mappings between the containerized software applications that have communicative relationships therebetween. The computing device is further configured to store, in the database, the configuration data and the mappings.

These as well as other embodiments, aspects, advantages, and alternatives will become apparent to those of ordinary skill in the art by reading the following detailed description, with reference where appropriate to the accompanying drawings. Further, this summary and other descriptions and figures provided herein are intended to illustrate embodiments by way of example only and, as such, that numerous variations are possible. For instance, structural elements and process steps can be rearranged, combined, distributed, eliminated, or otherwise changed, while remaining within the scope of the embodiments as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a schematic drawing of a computing device, in accordance with example embodiments.

FIG. 2 illustrates a schematic drawing of a server device cluster, in accordance with example embodiments.

FIG. 3 depicts a remote network management architecture, in accordance with example embodiments.

FIG. 4 depicts a communication environment involving a remote network management architecture, in accordance with example embodiments.

FIG. 5A depicts another communication environment involving a remote network management architecture, in accordance with example embodiments.

FIG. 5B is a flow chart, in accordance with example embodiments.

FIG. 6 depicts an architecture for executing containerized software applications, in accordance with example embodiments.

FIG. 7 depicts a distribution of packet detection modules, in accordance with example embodiments.

FIGS. 8A, 8B, 8C, and 8D depict message diagrams related to deployment of containerized software applications, in accordance with example embodiments.

FIGS. 9A and 9B depict a graphical user interface displaying a mapping of containerized software applications, in accordance with example embodiments.

FIG. 10 is a flow chart, in accordance with example embodiments.

DETAILED DESCRIPTION

Example methods, devices, and systems are described herein. It should be understood that the words “example” and “exemplary” are used herein to mean “serving as an example, instance, or illustration.” Any embodiment or feature described herein as being an “example” or “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or features unless stated as such. Thus, other embodiments can be utilized and other changes can be made without departing from the scope of the subject matter presented herein.

Accordingly, the example embodiments described herein are not meant to be limiting. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations. For example, the separation of features into “client” and “server” components may occur in a number of ways.

Further, unless context suggests otherwise, the features illustrated in each of the figures may be used in combination with one another. Thus, the figures should be generally viewed as component aspects of one or more overall embodiments, with the understanding that not all illustrated features are necessary for each embodiment.

Additionally, any enumeration of elements, blocks, or steps in this specification or the claims is for purposes of clarity. Thus, such enumeration should not be interpreted to require or imply that these elements, blocks, or steps adhere to a particular arrangement or are carried out in a particular order.

I. Introduction

A large enterprise is a complex entity with many interrelated operations. Some of these are found across the enterprise, such as human resources (HR), supply chain, information technology (IT), and finance. However, each enterprise also has its own unique operations that provide essential capabilities and/or create competitive advantages.

To support widely-implemented operations, enterprises typically use off-the-shelf software applications, such as customer relationship management (CRM) and human capital management (HCM) packages. However, they may also need custom software applications to meet their own unique requirements. A large enterprise often has dozens or hundreds of these custom software applications. Nonetheless, the advantages provided by the embodiments herein are not limited to large enterprises and may be applicable to an enterprise, or any other type of organization, of any size.

Many such software applications are developed by individual departments within the enterprise. These range from simple spreadsheets to custom-built software tools and databases. But the proliferation of siloed custom software applications has numerous disadvantages. It negatively impacts an enterprise's ability to run and grow its operations, innovate, and meet regulatory requirements. The enterprise may find it difficult to integrate, streamline and enhance its operations due to lack of a single system that unifies its subsystems and data.

To efficiently create custom applications, enterprises would benefit from a remotely-hosted application platform that eliminates unnecessary development complexity. The goal of such a platform would be to reduce time-consuming, repetitive application development tasks so that software engineers and individuals in other roles can focus on developing unique, high-value features.

In order to achieve this goal, the concept of Application Platform as a Service (aPaaS) is introduced, to intelligently automate workflows throughout the enterprise. An aPaaS system is hosted remotely from the enterprise, but may access data, applications, and services within the enterprise by way of secure connections. Such an aPaaS system may have a number of advantageous capabilities and characteristics. These advantages and characteristics may be able to improve the enterprise's operations and workflow for IT, HR, CRM, customer service, application development, and security.

The aPaaS system may support development and execution of model-view-controller (MVC) applications. MVC applications divide their functionality into three interconnected parts (model, view, and controller) in order to isolate representations of information from the manner in which the information is presented to the user, thereby allowing for efficient code reuse and parallel development. These applications may be web-based, and offer create, read, update, delete (CRUD) capabilities. This allows new applications to be built on a common application infrastructure.

The aPaaS system may support standardized application components, such as a standardized set of widgets for graphical user interface (GUI) development. In this way, applications built using the aPaaS system have a common look and feel. Other software components and modules may be standardized as well. In some cases, this look and feel can be branded or skinned with an enterprise's custom logos and/or color schemes.

The aPaaS system may support the ability to configure the behavior of applications using metadata. This allows application behaviors to be rapidly adapted to meet specific needs. Such an approach reduces development time and increases flexibility. Further, the aPaaS system may support GUI tools that facilitate metadata creation and management, thus reducing errors in the metadata.

The aPaaS system may support clearly-defined interfaces between applications, so that software developers can avoid unwanted inter-application dependencies. Thus, the aPaaS system may implement a service layer in which persistent state information and other data is stored.

The aPaaS system may support a rich set of integration features so that the applications thereon can interact with legacy applications and third-party applications. For instance, the aPaaS system may support a custom employee-onboarding system that integrates with legacy HR, IT, and accounting systems.

The aPaaS system may support enterprise-grade security. Furthermore, since the aPaaS system may be remotely hosted, it should also utilize security procedures when it interacts with systems in the enterprise or third-party networks and services hosted outside of the enterprise. For example, the aPaaS system may be configured to share data amongst the enterprise and other parties to detect and identify common security threats.

Other features, functionality, and advantages of an aPaaS system may exist. This description is for purpose of example and is not intended to be limiting.

As an example of the aPaaS development process, a software developer may be tasked to create a new application using the aPaaS system. First, the developer may define the data model, which specifies the types of data that the application uses and the relationships therebetween. Then, via a GUI of the aPaaS system, the developer enters (e.g., uploads) the data model. The aPaaS system automatically creates all of the corresponding database tables, fields, and relationships, which can then be accessed via an object-oriented services layer.

In addition, the aPaaS system can also build a fully-functional MVC application with client-side interfaces and server-side CRUD logic. This generated application may serve as the basis of further development for the user. Advantageously, the developer does not have to spend a large amount of time on basic application functionality. Further, since the application may be web-based, it can be accessed from any Internet-enabled client device. Alternatively or additionally, a local copy of the application may be able to be accessed, for instance, when Internet service is not available.

The aPaaS system may also support a rich set of pre-defined functionality that can be added to applications. These features include support for searching, email, templating, workflow design, reporting, analytics, social media, scripting, mobile-friendly output, and customized GUIs.

The following embodiments describe architectural and functional aspects of example aPaaS systems, as well as the features and advantages thereof.

II. Example Computing Devices and Cloud-Based Computing Environments

FIG. 1 is a simplified block diagram exemplifying a computing device 100, illustrating some of the components that could be included in a computing device arranged to operate in accordance with the embodiments herein. Computing device 100 could be a client device (e.g., a device actively operated by a user), a server device (e.g., a device that provides computational services to client devices), or some other type of computational platform. Some server devices may operate as client devices from time to time in order to perform particular operations, and some client devices may incorporate server features.

In this example, computing device 100 includes processor 102, memory 104, network interface 106, and an input/output unit 108, all of which may be coupled by a system bus 110 or a similar mechanism. In some embodiments, computing device 100 may include other components and/or peripheral devices (e.g., detachable storage, printers, and so on).

Processor 102 may be one or more of any type of computer processing element, such as a central processing unit (CPU), a co-processor (e.g., a mathematics, graphics, or encryption co-processor), a digital signal processor (DSP), a network processor, and/or a form of integrated circuit or controller that performs processor operations. In some cases, processor 102 may be one or more single-core processors. In other cases, processor 102 may be one or more multi-core processors with multiple independent processing units. Processor 102 may also include register memory for temporarily storing instructions being executed and related data, as well as cache memory for temporarily storing recently-used instructions and data.

Memory 104 may be any form of computer-usable memory, including but not limited to random access memory (RAM), read-only memory (ROM), and non-volatile memory (e.g., flash memory, hard disk drives, solid state drives, compact discs (CDs), digital video discs (DVDs), and/or tape storage). Thus, memory 104 represents both main memory units, as well as long-term storage. Other types of memory may include biological memory.

Memory 104 may store program instructions and/or data on which program instructions may operate. By way of example, memory 104 may store these program instructions on a non-transitory, computer-readable medium, such that the instructions are executable by processor 102 to carry out any of the methods, processes, or operations disclosed in this specification or the accompanying drawings.

As shown in FIG. 1, memory 104 may include firmware 104A, kernel 104B, and/or applications 104C. Firmware 104A may be program code used to boot or otherwise initiate some or all of computing device 100. Kernel 104B may be an operating system, including modules for memory management, scheduling and management of processes, input/output, and communication. Kernel 104B may also include device drivers that allow the operating system to communicate with the hardware modules (e.g., memory units, networking interfaces, ports, and busses), of computing device 100. Applications 104C may be one or more user-space software programs, such as web browsers or email clients, as well as any software libraries used by these programs. Memory 104 may also store data used by these and other programs and applications.

Network interface 106 may take the form of one or more wireline interfaces, such as Ethernet (e.g., Fast Ethernet, Gigabit Ethernet, and so on). Network interface 106 may also support communication over one or more non-Ethernet media, such as coaxial cables or power lines, or over wide-area media, such as Synchronous Optical Networking (SONET) or digital subscriber line (DSL) technologies. Network interface 106 may additionally take the form of one or more wireless interfaces, such as IEEE 802.11 (Wifi), BLUETOOTH®, global positioning system (GPS), or a wide-area wireless interface. However, other forms of physical layer interfaces and other types of standard or proprietary communication protocols may be used over network interface 106. Furthermore, network interface 106 may comprise multiple physical interfaces. For instance, some embodiments of computing device 100 may include Ethernet, BLUETOOTH®, and Wifi interfaces.

Input/output unit 108 may facilitate user and peripheral device interaction with example computing device 100. Input/output unit 108 may include one or more types of input devices, such as a keyboard, a mouse, a touch screen, and so on. Similarly, input/output unit 108 may include one or more types of output devices, such as a screen, monitor, printer, and/or one or more light emitting diodes (LEDs). Additionally or alternatively, computing device 100 may communicate with other devices using a universal serial bus (USB) or high-definition multimedia interface (HDMI) port interface, for example.

In some embodiments, one or more instances of computing device 100 may be deployed to support an aPaaS architecture. The exact physical location, connectivity, and configuration of these computing devices may be unknown and/or unimportant to client devices. Accordingly, the computing devices may be referred to as “cloud-based” devices that may be housed at various remote data center locations.

FIG. 2 depicts a cloud-based server cluster 200 in accordance with example embodiments. In FIG. 2, operations of a computing device (e.g., computing device 100) may be distributed between server devices 202, data storage 204, and routers 206, all of which may be connected by local cluster network 208. The number of server devices 202, data storages 204, and routers 206 in server cluster 200 may depend on the computing task(s) and/or applications assigned to server cluster 200.

For example, server devices 202 can be configured to perform various computing tasks of computing device 100. Thus, computing tasks can be distributed among one or more of server devices 202. To the extent that these computing tasks can be performed in parallel, such a distribution of tasks may reduce the total time to complete these tasks and return a result. For purpose of simplicity, both server cluster 200 and individual server devices 202 may be referred to as a “server device.” This nomenclature should be understood to imply that one or more distinct server devices, data storage devices, and cluster routers may be involved in server device operations.

Data storage 204 may be data storage arrays that include drive array controllers configured to manage read and write access to groups of hard disk drives and/or solid state drives. The drive array controllers, alone or in conjunction with server devices 202, may also be configured to manage backup or redundant copies of the data stored in data storage 204 to protect against drive failures or other types of failures that prevent one or more of server devices 202 from accessing units of cluster data storage 204. Other types of memory aside from drives may be used.

Routers 206 may include networking equipment configured to provide internal and external communications for server cluster 200. For example, routers 206 may include one or more packet-switching and/or routing devices (including switches and/or gateways) configured to provide (i) network communications between server devices 202 and data storage 204 via cluster network 208, and/or (ii) network communications between the server cluster 200 and other devices via communication link 210 to network 212.

Additionally, the configuration of cluster routers 206 can be based at least in part on the data communication requirements of server devices 202 and data storage 204, the latency and throughput of the local cluster network 208, the latency, throughput, and cost of communication link 210, and/or other factors that may contribute to the cost, speed, fault-tolerance, resiliency, efficiency and/or other design goals of the system architecture.

As a possible example, data storage 204 may include any form of database, such as a structured query language (SQL) database. Various types of data structures may store the information in such a database, including but not limited to tables, arrays, lists, trees, and tuples. Furthermore, any databases in data storage 204 may be monolithic or distributed across multiple physical devices.

Server devices 202 may be configured to transmit data to and receive data from cluster data storage 204. This transmission and retrieval may take the form of SQL queries or other types of database queries, and the output of such queries, respectively. Additional text, images, video, and/or audio may be included as well. Furthermore, server devices 202 may organize the received data into web page representations. Such a representation may take the form of a markup language, such as the hypertext markup language (HTML), the extensible markup language (XML), or some other standardized or proprietary format. Moreover, server devices 202 may have the capability of executing various types of computerized scripting languages, such as but not limited to Perl, Python, PHP Hypertext Preprocessor (PHP), Active Server Pages (ASP), JavaScript, and so on. Computer program code written in these languages may facilitate the providing of web pages to client devices, as well as client device interaction with the web pages.

III. Example Remote Network Management Architecture

FIG. 3 depicts a remote network management architecture, in accordance with example embodiments. This architecture includes three main components, managed network 300, remote network management platform 320, and third-party networks 340, all connected by way of Internet 350.

Managed network 300 may be, for example, an enterprise network used by an entity for computing and communications tasks, as well as storage of data. Thus, managed network 300 may include various client devices 302, server devices 304, routers 306, virtual machines 308, firewall 310, and/or proxy servers 312. Client devices 302 may be embodied by computing device 100, server devices 304 may be embodied by computing device 100 or server cluster 200, and routers 306 may be any type of router, switch, or gateway.

Virtual machines 308 may be embodied by one or more of computing device 100 or server cluster 200. In general, a virtual machine is an emulation of a computing system, and mimics the functionality (e.g., processor, memory, and communication resources) of a physical computer. One physical computing system, such as server cluster 200, may support up to thousands of individual virtual machines. In some embodiments, virtual machines 308 may be managed by a centralized server device or application that facilitates allocation of physical computing resources to individual virtual machines, as well as performance and error reporting. Enterprises often employ virtual machines in order to allocate computing resources in an efficient, as needed fashion. Providers of virtualized computing systems include VMWARE® and MICROSOFT®.

Firewall 310 may be one or more specialized routers or server devices that protect managed network 300 from unauthorized attempts to access the devices, applications, and services therein, while allowing authorized communication that is initiated from managed network 300. Firewall 310 may also provide intrusion detection, web filtering, virus scanning, application-layer gateways, and other applications or services. In some embodiments not shown in FIG. 3, managed network 300 may include one or more virtual private network (VPN) gateways with which it communicates with remote network management platform 320 (see below).

Managed network 300 may also include one or more proxy servers 312. An embodiment of proxy servers 312 may be a server device that facilitates communication and movement of data between managed network 300, remote network management platform 320, and third-party networks 340. In particular, proxy servers 312 may be able to establish and maintain secure communication sessions with one or more computational instances of remote network management platform 320. By way of such a session, remote network management platform 320 may be able to discover and manage aspects of the architecture and configuration of managed network 300 and its components. Possibly with the assistance of proxy servers 312, remote network management platform 320 may also be able to discover and manage aspects of third-party networks 340 that are used by managed network 300.

Firewalls, such as firewall 310, typically deny all communication sessions that are incoming by way of Internet 350, unless such a session was ultimately initiated from behind the firewall (i.e., from a device on managed network 300) or the firewall has been explicitly configured to support the session. By placing proxy servers 312 behind firewall 310 (e.g., within managed network 300 and protected by firewall 310), proxy servers 312 may be able to initiate these communication sessions through firewall 310. Thus, firewall 310 might not have to be specifically configured to support incoming sessions from remote network management platform 320, thereby avoiding potential security risks to managed network 300.

In some cases, managed network 300 may consist of a few devices and a small number of networks. In other deployments, managed network 300 may span multiple physical locations and include hundreds of networks and hundreds of thousands of devices. Thus, the architecture depicted in FIG. 3 is capable of scaling up or down by orders of magnitude.

Furthermore, depending on the size, architecture, and connectivity of managed network 300, a varying number of proxy servers 312 may be deployed therein. For example, each one of proxy servers 312 may be responsible for communicating with remote network management platform 320 regarding a portion of managed network 300. Alternatively or additionally, sets of two or more proxy servers may be assigned to such a portion of managed network 300 for purposes of load balancing, redundancy, and/or high availability.

Remote network management platform 320 is a hosted environment that provides aPaaS services to users, particularly to the operators of managed network 300. These services may take the form of web-based portals, for instance. Thus, a user can securely access remote network management platform 320 from, for instance, client devices 302, or potentially from a client device outside of managed network 300. By way of the web-based portals, users may design, test, and deploy applications, generate reports, view analytics, and perform other tasks.

As shown in FIG. 3, remote network management platform 320 includes four computational instances 322, 324, 326, and 328. Each of these instances may represent a set of web portals, services, and applications (e.g., a wholly-functioning aPaaS system) available to a particular customer. In some cases, a single customer may use multiple computational instances. For example, managed network 300 may be an enterprise customer of remote network management platform 320, and may use computational instances 322, 324, and 326. The reason for providing multiple instances to one customer is that the customer may wish to independently develop, test, and deploy its applications and services. Thus, computational instance 322 may be dedicated to application development related to managed network 300, computational instance 324 may be dedicated to testing these applications, and computational instance 326 may be dedicated to the live operation of tested applications and services. A computational instance may also be referred to as a hosted instance, a remote instance, a customer instance, or by some other designation.

The multi-instance architecture of remote network management platform 320 is in contrast to conventional multi-tenant architectures, over which multi-instance architectures have several advantages. In multi-tenant architectures, data from different customers (e.g., enterprises) are comingled in a single database. While these customers' data are separate from one another, the separation is enforced by the software that operates the single database. As a consequence, a security breach in this system may impact all customers' data, creating additional risk, especially for entities subject to governmental, healthcare, and/or financial regulation. Furthermore, any database operations that impact one customer will likely impact all customers sharing that database. Thus, if there is an outage due to hardware or software errors, this outage affects all such customers. Likewise, if the database is to be upgraded to meet the needs of one customer, it will be unavailable to all customers during the upgrade process. Often, such maintenance windows will be long, due to the size of the shared database.

In contrast, the multi-instance architecture provides each customer with its own database in a dedicated computing instance. This prevents comingling of customer data, and allows each instance to be independently managed. For example, when one customer's instance experiences an outage due to errors or an upgrade, other computational instances are not impacted. Maintenance down time is limited because the database only contains one customer's data. Further, the simpler design of the multi-instance architecture allows redundant copies of each customer database and instance to be deployed in a geographically diverse fashion. This facilitates high availability, where the live version of the customer's instance can be moved when faults are detected or maintenance is being performed.

In order to support multiple computational instances in an efficient fashion, remote network management platform 320 may implement a plurality of these instances on a single hardware platform. For example, when the aPaaS system is implemented on a server cluster such as server cluster 200, it may operate a virtual machine that dedicates varying amounts of computational, storage, and communication resources to instances. But full virtualization of server cluster 200 might not be necessary, and other mechanisms may be used to separate instances. In some examples, each instance may have a dedicated account and one or more dedicated databases on server cluster 200. Alternatively, computational instance 322 may span multiple physical devices.

In some cases, a single server cluster of remote network management platform 320 may support multiple independent enterprises. Furthermore, as described below, remote network management platform 320 may include multiple server clusters deployed in geographically diverse data centers in order to facilitate load balancing, redundancy, and/or high availability.

Third-party networks 340 may be remote server devices (e.g., a plurality of server clusters such as server cluster 200) that can be used for outsourced computational, data storage, communication, and service hosting operations. These servers may be virtualized (i.e., the servers may be virtual machines). Examples of third-party networks 340 may include AMAZON WEB SERVICES® and MICROSOFT® Azure. Like remote network management platform 320, multiple server clusters supporting third-party networks 340 may be deployed at geographically diverse locations for purposes of load balancing, redundancy, and/or high availability.

Managed network 300 may use one or more of third-party networks 340 to deploy applications and services to its clients and customers. For instance, if managed network 300 provides online music streaming services, third-party networks 340 may store the music files and provide web interface and streaming capabilities. In this way, the enterprise of managed network 300 does not have to build and maintain its own servers for these operations.

Remote network management platform 320 may include modules that integrate with third-party networks 340 to expose virtual machines and managed services therein to managed network 300. The modules may allow users to request virtual resources and provide flexible reporting for third-party networks 340. In order to establish this functionality, a user from managed network 300 might first establish an account with third-party networks 340, and request a set of associated resources. Then, the user may enter the account information into the appropriate modules of remote network management platform 320. These modules may then automatically discover the manageable resources in the account, and also provide reports related to usage, performance, and billing.

Internet 350 may represent a portion of the global Internet. However, Internet 350 may alternatively represent a different type of network, such as a private wide-area or local-area packet-switched network.

FIG. 4 further illustrates the communication environment between managed network 300 and computational instance 322, and introduces additional features and alternative embodiments. In FIG. 4, computational instance 322 is replicated across data centers 400A and 400B. These data centers may be geographically distant from one another, perhaps in different cities or different countries. Each data center includes support equipment that facilitates communication with managed network 300, as well as remote users.

In data center 400A, network traffic to and from external devices flows either through VPN gateway 402A or firewall 404A. VPN gateway 402A may be peered with VPN gateway 412 of managed network 300 by way of a security protocol such as Internet Protocol Security (IPSEC) or Transport Layer Security (TLS). Firewall 404A may be configured to allow access from authorized users, such as user 414 and remote user 416, and to deny access to unauthorized users. By way of firewall 404A, these users may access computational instance 322, and possibly other computational instances. Load balancer 406A may be used to distribute traffic amongst one or more physical or virtual server devices that host computational instance 322. Load balancer 406A may simplify user access by hiding the internal configuration of data center 400A, (e.g., computational instance 322) from client devices. For instance, if computational instance 322 includes multiple physical or virtual computing devices that share access to multiple databases, load balancer 406A may distribute network traffic and processing tasks across these computing devices and databases so that no one computing device or database is significantly busier than the others. In some embodiments, computational instance 322 may include VPN gateway 402A, firewall 404A, and load balancer 406A.

Data center 400B may include its own versions of the components in data center 400A. Thus, VPN gateway 402B, firewall 404B, and load balancer 406B may perform the same or similar operations as VPN gateway 402A, firewall 404A, and load balancer 406A, respectively. Further, by way of real-time or near-real-time database replication and/or other operations, computational instance 322 may exist simultaneously in data centers 400A and 400B.

Data centers 400A and 400B as shown in FIG. 4 may facilitate redundancy and high availability. In the configuration of FIG. 4, data center 400A is active and data center 400B is passive. Thus, data center 400A is serving all traffic to and from managed network 300, while the version of computational instance 322 in data center 400B is being updated in near-real-time. Other configurations, such as one in which both data centers are active, may be supported.

Should data center 400A fail in some fashion or otherwise become unavailable to users, data center 400B can take over as the active data center. For example, domain name system (DNS) servers that associate a domain name of computational instance 322 with one or more Internet Protocol (IP) addresses of data center 400A may re-associate the domain name with one or more IP addresses of data center 400B. After this re-association completes (which may take less than one second or several seconds), users may access computational instance 322 by way of data center 400B.

FIG. 4 also illustrates a possible configuration of managed network 300. As noted above, proxy servers 312 and user 414 may access computational instance 322 through firewall 310. Proxy servers 312 may also access configuration items 410. In FIG. 4, configuration items 410 may refer to any or all of client devices 302, server devices 304, routers 306, and virtual machines 308, any applications or services executing thereon, as well as relationships between devices, applications, and services. Thus, the term “configuration items” may be shorthand for any physical or virtual device, or any application or service remotely discoverable or managed by computational instance 322, or relationships between discovered devices, applications, and services. Configuration items may be represented in a configuration management database (CMDB) of computational instance 322.

As noted above, VPN gateway 412 may provide a dedicated VPN to VPN gateway 402A. Such a VPN may be helpful when there is a significant amount of traffic between managed network 300 and computational instance 322, or security policies otherwise suggest or require use of a VPN between these sites. In some embodiments, any device in managed network 300 and/or computational instance 322 that directly communicates via the VPN is assigned a public IP address. Other devices in managed network 300 and/or computational instance 322 may be assigned private IP addresses (e.g., IP addresses selected from the 10.0.0.0-10.255.255.255 or 192.168.0.0-192.168.255.255 ranges, represented in shorthand as subnets 10.0.0.0/8 and 192.168.0.0/16, respectively).

IV. Example Device, Application, and Service Discovery

In order for remote network management platform 320 to administer the devices, applications, and services of managed network 300, remote network management platform 320 may first determine what devices are present in managed network 300, the configurations and operational statuses of these devices, and the applications and services provided by the devices, and well as the relationships between discovered devices, applications, and services. As noted above, each device, application, service, and relationship may be referred to as a configuration item. The process of defining configuration items within managed network 300 is referred to as discovery, and may be facilitated at least in part by proxy servers 312.

For purpose of the embodiments herein, an “application” may refer to one or more processes, threads, programs, client modules, server modules, or any other software that executes on a device or group of devices. A “service” may refer to a high-level capability provided by multiple applications executing on one or more devices working in conjunction with one another. For example, a high-level web service may involve multiple web application server threads executing on one device and accessing information from a database application that executes on another device.

FIG. 5A provides a logical depiction of how configuration items can be discovered, as well as how information related to discovered configuration items can be stored. For sake of simplicity, remote network management platform 320, third-party networks 340, and Internet 350 are not shown.

In FIG. 5A, CMDB 500 and task list 502 are stored within computational instance 322. Computational instance 322 may transmit discovery commands to proxy servers 312. In response, proxy servers 312 may transmit probes to various devices, applications, and services in managed network 300. These devices, applications, and services may transmit responses to proxy servers 312, and proxy servers 312 may then provide information regarding discovered configuration items to CMDB 500 for storage therein. Configuration items stored in CMDB 500 represent the environment of managed network 300.

Task list 502 represents a list of activities that proxy servers 312 are to perform on behalf of computational instance 322. As discovery takes place, task list 502 is populated. Proxy servers 312 repeatedly query task list 502, obtain the next task therein, and perform this task until task list 502 is empty or another stopping condition has been reached.

To facilitate discovery, proxy servers 312 may be configured with information regarding one or more subnets in managed network 300 that are reachable by way of proxy servers 312. For instance, proxy servers 312 may be given the IP address range 192.168.0/24 as a subnet. Then, computational instance 322 may store this information in CMDB 500 and place tasks in task list 502 for discovery of devices at each of these addresses.

FIG. 5A also depicts devices, applications, and services in managed network 300 as configuration items 504, 506, 508, 510, and 512. As noted above, these configuration items represent a set of physical and/or virtual devices (e.g., client devices, server devices, routers, or virtual machines), applications executing thereon (e.g., web servers, email servers, databases, or storage arrays), relationships therebetween, as well as services that involve multiple individual configuration items.

Placing the tasks in task list 502 may trigger or otherwise cause proxy servers 312 to begin discovery. Alternatively or additionally, discovery may be manually triggered or automatically triggered based on triggering events (e.g., discovery may automatically begin once per day at a particular time).

In general, discovery may proceed in four logical phases: scanning, classification, identification, and exploration. Each phase of discovery involves various types of probe messages being transmitted by proxy servers 312 to one or more devices in managed network 300. The responses to these probes may be received and processed by proxy servers 312, and representations thereof may be transmitted to CMDB 500. Thus, each phase can result in more configuration items being discovered and stored in CMDB 500.

In the scanning phase, proxy servers 312 may probe each IP address in the specified range of IP addresses for open Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP) ports to determine the general type of device. The presence of such open ports at an IP address may indicate that a particular application is operating on the device that is assigned the IP address, which in turn may identify the operating system used by the device. For example, if TCP port 135 is open, then the device is likely executing a WINDOWS® operating system. Similarly, if TCP port 22 is open, then the device is likely executing a UNIX® operating system, such as LINUX®. If UDP port 161 is open, then the device may be able to be further identified through the Simple Network Management Protocol (SNMP). Other possibilities exist. Once the presence of a device at a particular IP address and its open ports have been discovered, these configuration items are saved in CMDB 500.

In the classification phase, proxy servers 312 may further probe each discovered device to determine the version of its operating system. The probes used for a particular device are based on information gathered about the devices during the scanning phase. For example, if a device is found with TCP port 22 open, a set of UNIX®-specific probes may be used. Likewise, if a device is found with TCP port 135 open, a set of WINDOWS®-specific probes may be used. For either case, an appropriate set of tasks may be placed in task list 502 for proxy servers 312 to carry out. These tasks may result in proxy servers 312 logging on, or otherwise accessing information from the particular device. For instance, if TCP port 22 is open, proxy servers 312 may be instructed to initiate a Secure Shell (SSH) connection to the particular device and obtain information about the operating system thereon from particular locations in the file system. Based on this information, the operating system may be determined. As an example, a UNIX® device with TCP port 22 open may be classified as AIX®, HPUX, LINUX®, MACOS®, or SOLARIS®. This classification information may be stored as one or more configuration items in CMDB 500.

In the identification phase, proxy servers 312 may determine specific details about a classified device. The probes used during this phase may be based on information gathered about the particular devices during the classification phase. For example, if a device was classified as LINUX®, a set of LINUX®-specific probes may be used. Likewise if a device was classified as WINDOWS® 2012, as a set of WINDOWS®-2012-specific probes may be used. As was the case for the classification phase, an appropriate set of tasks may be placed in task list 502 for proxy servers 312 to carry out. These tasks may result in proxy servers 312 reading information from the particular device, such as basic input/output system (BIOS) information, serial numbers, network interface information, media access control address(es) assigned to these network interface(s), IP address(es) used by the particular device and so on. This identification information may be stored as one or more configuration items in CMDB 500.

In the exploration phase, proxy servers 312 may determine further details about the operational state of a classified device. The probes used during this phase may be based on information gathered about the particular devices during the classification phase and/or the identification phase. Again, an appropriate set of tasks may be placed in task list 502 for proxy servers 312 to carry out. These tasks may result in proxy servers 312 reading additional information from the particular device, such as processor information, memory information, lists of running processes (applications), and so on. Once more, the discovered information may be stored as one or more configuration items in CMDB 500.

Running discovery on a network device, such as a router, may utilize SNMP. Instead of or in addition to determining a list of running processes or other application-related information, discovery may determine additional subnets known to the router and the operational state of the router's network interfaces (e.g., active, inactive, queue length, number of packets dropped, etc.). The IP addresses of the additional subnets may be candidates for further discovery procedures. Thus, discovery may progress iteratively or recursively.

Once discovery completes, a snapshot representation of each discovered device, application, and service is available in CMDB 500. For example, after discovery, operating system version, hardware configuration and network configuration details for client devices, server devices, and routers in managed network 300, as well as applications executing thereon, may be stored. This collected information may be presented to a user in various ways to allow the user to view the hardware composition and operational status of devices, as well as the characteristics of services that span multiple devices and applications.

Furthermore, CMDB 500 may include entries regarding dependencies and relationships between configuration items. More specifically, an application that is executing on a particular server device, as well as the services that rely on this application, may be represented as such in CMDB 500. For instance, suppose that a database application is executing on a server device, and that this database application is used by a new employee onboarding service as well as a payroll service. Thus, if the server device is taken out of operation for maintenance, it is clear that the employee onboarding service and payroll service will be impacted. Likewise, the dependencies and relationships between configuration items may be able to represent the services impacted when a particular router fails.

In general, dependencies and relationships between configuration items be displayed on a web-based interface and represented in a hierarchical fashion. Thus, adding, changing, or removing such dependencies and relationships may be accomplished by way of this interface.

Furthermore, users from managed network 300 may develop workflows that allow certain coordinated activities to take place across multiple discovered devices. For instance, an IT workflow might allow the user to change the common administrator password to all discovered LINUX® devices in single operation.

In order for discovery to take place in the manner described above, proxy servers 312, CMDB 500, and/or one or more credential stores may be configured with credentials for one or more of the devices to be discovered. Credentials may include any type of information needed in order to access the devices. These may include userid/password pairs, certificates, and so on. In some embodiments, these credentials may be stored in encrypted fields of CMDB 500. Proxy servers 312 may contain the decryption key for the credentials so that proxy servers 312 can use these credentials to log on to or otherwise access devices being discovered.

The discovery process is depicted as a flow chart in FIG. 5B. At block 520, the task list in the computational instance is populated, for instance, with a range of IP addresses. At block 522, the scanning phase takes place. Thus, the proxy servers probe the IP addresses for devices using these IP addresses, and attempt to determine the operating systems that are executing on these devices. At block 524, the classification phase takes place. The proxy servers attempt to determine the operating system version of the discovered devices. At block 526, the identification phase takes place. The proxy servers attempt to determine the hardware and/or software configuration of the discovered devices. At block 528, the exploration phase takes place. The proxy servers attempt to determine the operational state and applications executing on the discovered devices. At block 530, further editing of the configuration items representing the discovered devices and applications may take place. This editing may be automated and/or manual in nature.

The blocks represented in FIG. 5B are for purpose of example. Discovery may be a highly configurable procedure that can have more or fewer phases, and the operations of each phase may vary. In some cases, one or more phases may be customized, or may otherwise deviate from the exemplary descriptions above.

V. Example Platform for Containerized Software Applications

A containerized software application may be a software application configured to be executed in a container. A container, in turn, is a software package that includes an entire runtime environment needed to execute a given software application. The container may thus include therein the code (e.g., binary code) that defines the software application, libraries utilized by the software application, and configuration files utilized by the software application, among other elements needed for execution of the software application. As a result, the containerized software application can be executed on a wide variety of operating systems and underlying infrastructures independently of the computing environment provided thereby. Application containerization may, in some cases, be referred to as operating system virtualization. Application containerization may allow for the existence of multiple distinct and isolated user-spaces on a single machine (e.g., physical machine or virtual machine). Thus, an application executing within a container may see only its own container's resources, but not the resources of other containers.

FIG. 6 illustrates an example platform for managing and executing containerized software applications. Computing cluster 604 may include master node 606 and a plurality of worker nodes, including worker nodes 614A and 614B. Worker nodes 614A and 614B may host software application(s) 624A and 624B, respectively. Software application(s) 624A and 624B may be stand-alone software applications or components of a larger software product. Software application(s) 624A and 624B may each represent distinct software modules. In some cases, however, software application(s) 624A and 624B may also include copies or duplicates of the same software application (e.g., to provide redundancy or handle a given traffic load to the software product).

Software application(s) 624A and 624B may be executable within corresponding container(s) 622A and 622B, respectively. Generally, each of container(s) 622A and 622B may be configured to execute a single software application of software application(s) 624A and 624B. However, in some cases, some of container(s) 622A and 622B may also be configured to execute therein multiple software applications of software application(s) 624A and 624B.

Container(s) 622A and 622B may be organized into pod(s) 620A and 620B, respectively. Each of pod(s) 620A and 620B may include therein one or more containers. Containers in a pod may share storage space, an internet protocol (IP) address (i.e., each pod may be assigned a distinct IP address), IP port space, and operating system namespace, among other shared resources. Pod(s) 620A and 620B may be, for example, KUBERNETES® pods, DOCKER SWARM® tasks, MESOS® pods, or KONTENA® stacks, among other possibilities. Pod(s) 620A and 620B may thus be building blocks of a container orchestration engine that facilitates management and execution of software applications in containers. The specific implementations of pod(s) 620A and 620B may vary depending on the specific implementation of the container orchestration engine. Container(s) 622A and 622B may be, for example, DOCKER® containers or COREOS® rkt containers, among other possibilities.

Worker nodes 614A and 614B may include proxies 616A and 616B (e.g., “Kube-proxies” in KUBERNETES® terminology), respectively, via which remote user(s) 602 may be able to access software application(s) 624A and 624B, respectively. Proxies 616A and 616B may be configured to proxy user datagram protocol (UDP) and transmission control protocol (TCP) traffic and provide load balancing to worker nodes 614A and 614B, respectively, among other operations. In some implementations, a group of pods may be organized into a service which defines a policy by which to access the group of pods. Each service may be assigned a stable virtual IP address that is exposed outside of computing cluster 604. Proxies 616A and 616B may be configured to access the service into which the group of pods is organized, rather than accessing the pods directly. Thus, software application(s) 624A and 624B may be accessible regardless of changes in the number of pods, changes in the IP addresses of pods, or changes in the distribution of pods among worker nodes 614A and 614B.

Cluster 604 may also include master node 606 configured to manage the number, distribution, and scheduling of pods, containers, and/or software applications amongst the plurality of worker nodes (e.g., worker nodes 614A and 614B) within computing cluster 604. Developer/Operator 600 (e.g., developer or operator of software applications 624A and 624B) may be able to communicate with master node 606 by way of application programming interface (API) 608. API 608 may allow developer/operator 600 to specify a desired number of copies of software application(s) 624A and/or 624B (i.e., a deployment configuration) to be executed by computing cluster 604 (e.g., to provide a desired quality of service), and to roll out updates to software applications 624A and/or 624B, among other tasks. API 608 may also allow developer/operator 600 to manage other aspects of computing cluster 604, such as various options and settings affecting execution of software application(s) 624A and 624B.

API 608 may be configured to communicate with node agents 618A and 618B (e.g., “Kubelets” in KUBERNETES® terminology) on worker nodes 614A and 614B to monitor and control execution of pod(s) 620A and 620B, container(s) 622A and 622B, and/or software application(s) 624A and 624B on worker nodes 614A and 614B, respectively. API 608 may, for example, be configured to communicate with node agents 618A and 618B to initiate execution of containerized software applications 624A and 624B in pod(s) 620A and 620B, respectively, monitor pod(s) 620A and 620B to detect any execution errors, and replace one or more of pod(s) 620A and 620B in response to termination of the one or more of pod(s) 620A and 620B, among other operations. Scheduler and controller manager 610 may be configured to determine the scheduling and distribution of software application(s) 624A and 624B, container 622A and 622B, and pods 620A and 620B among the plurality of worker nodes in computing cluster 604.

The deployment configuration specified by developer/operator 600 may be stored in database 612 along with other information that maintains the operational state of computing cluster 604. Database 612 may be implemented as a distributed key-value store (e.g., etcd cluster).

The architecture illustrated in FIG. 6 may provide a self-healing mechanism that automatically addresses failure or termination of nodes, pods, containers, and software applications and facilitates ongoing maintenance thereof. Whenever a copy or instance of a software application becomes unavailable due to an unexpected failure or planned termination of the software application, container, pod, or worker node, (or for any other reason) scheduler and controller manager 610 may automatically replace the unavailable copy of the software application with a replacement copy to maintain the desired deployment configuration. Although the replacement may provide the same functionality as the unavailable copy of the software application, the replacement copy might be executed on a different worker node, in a different pod, and/or in a different container, resulting in the replacement copy having different identifying information associated therewith (e.g., different IP address, different TCP or UDP port, different name, etc.).

Each copy of the software application may thus have a finite or ephemeral lifecycle, resulting in a periodically-changing distribution of software applications across computing cluster 604. This periodically-changing distribution may make conventional discovery and service mapping techniques, which may rely on applications consistently executing on the same physical or virtual machines, unsuitable to this environment.

VI. Example Architecture for Mapping of Ephemeral Software Applications

FIG. 7 illustrates an example system for discovery and mapping of ephemeral software applications executing on a platform for hosting containerized software applications. Specifically, FIG. 7 illustrates remote network management platform 320, managed network 300, and computing cluster 604 in a communicative relationship. Computing cluster 604 may be configured to execute containerized software applications 624A and 624B on behalf of managed network 300. As discussed with respect to FIG. 6, software application(s) 624A and 624B may be executed in container(s) 622A and 622B, respectively, which may in turn be organized into pod(s) 620A and 620B, respectively. Notably, computing cluster 604 may be part of a third-party computing system different from managed network 300 or remote network management platform 320. Nevertheless, in some implementations, computing cluster 604 may form part of managed network 300 or remote network management platform 320 and may be collocated therewith.

In order to map the distribution of software application(s) 624A and 624B, container(s) 620A and 620B, and/or pod(s) 620A and 620B across the worker nodes (e.g., worker nodes 612A and 612B) available in computing cluster 604, each worker node may include thereon a corresponding packet detection module. Thus, worker node 612A may include thereon packet detection module 700A and worker node 612B may include thereon packet detection module 700B. Notably, worker nodes 612A and 612B illustrated in FIG. 7 may additionally include thereon the components shown and discussed with respect to FIG. 6, as well as other components of a container orchestration system not shown herein.

Packet detection modules 700A and 700B may be configured to monitor network traffic between the containerized software applications executing on computing cluster 604. Thus, packet detection modules 700A and 700B may also be referred to as “traffic sniffers.” In some implementations, a packet detection module may be included within each of pod(s) 620A and 620B and may monitor network traffic at the pod level rather than at the worker node level. Packet detection modules 700A and 700B may be configured to monitor the network traffic, including TCP and UDP traffic, at a network interface module of worker nodes 612A and 612B, respectively. Packet detection modules 700A and 700B may be able to disambiguate worker nodes 612A and 612B, pod(s) 620A and 620B, and container(s) 622A and 622B based on IP addresses and TCP or UDP ports assigned to applications using these IP addresses. API 608 may be used to access a list of these IP addresses and active ports per IP address, which may be tracked by master node 606.

Packet detection modules 700A and 700B may also be configured to generate and store traffic data representing the monitored network traffic. In some implementations, the traffic data may include a log of all network traffic experienced by the network interface modules of worker nodes 612A and 612B. Alternatively, packet detection modules 700A and 700B may apply a filter to the monitored network traffic. That is, packet detection modules 700A and 700B may be configured to monitor all network traffic, but might store within the traffic data only a portion of the monitored network traffic that meets certain criteria.

Packet detection modules 700A and 700B may, for example, store only traffic data representing TCP SYN packets exchanged between the plurality of worker nodes and the pods, or containers thereon. By tracking only TCP SYN packets, packet detection modules 700A and 700B may generate traffic data that identifies communicative relationships between the different components of computing cluster 604 while avoiding generation of excess traffic data that provides only redundant information (e.g., data exchanged over TCP connections established in response to the TCP SYN packets).

The data stored by packet detection modules 700A and 700B may include, for example, the source IP address, destination IP address, source TCP port, and destination TCP port of each of the TCP SYN packets. In this way, the source IP address, possibly in combination with the source TCP port, can be used to identify the initiating application of the connection. Likewise, the destination IP address, possibly in combination with the destination TCP port, can be used to identify the receiving application of the connection. The detection of a TCP SYN packet transmitted from a particular source to a particular destination is indicative of a relationship between the software applications identified by the respective IP addresses and/or port numbers. The strength of this relationship may be estimated by the number of such TCP SYN packets detected over a unit of time (e.g., a one minute, one hour, one day, etc.).

A relationship's strength may vary over time based on network usage patterns. Thus, for an application with usage that follows a daily cycle, the strength of the relationship as reflected by the detected packets may increase in the morning, hold relatively steady in the afternoon, and then decrease in the evening. Also, this mechanism allows stale relationships (relationships that were previously valid but are no longer valid) to be timed out. For instance, if packets indicative of a particular relationship are not detected for a period of time (e.g., an hour, six hours, a day, etc.), this relationship may be considered to be no longer in operation and any visually representation thereof may be removed from the service mapping display.

Packet detection modules 700A and 700B may nevertheless also store traffic data indicative of the extent of data transmitted (i.e., the throughput) between software application(s) 624A and 624B, container(s) 622A and 622B, pod(s) 620A and 620B, and worker nodes 612A and 612B to quantify the strength or intensity of the communicative relationships therebetween. That is, the traffic data may be used not only to determine, for example, that two pods are configured to communicate with one another, but also to determine how extensively (e.g., in terms of frequency and/or amount of data) the two pods communicate. The extent of data transmitted may be determined by packet detection modules 700A and 700B by counting the detected bytes of the connection between the two pods, or determining this value by comparing the sequence number of the TCP SYN packet that initiated the connection with the sequence number of a TCP FIN packet that terminates the connection.

The mapping of the distribution of software application(s) 624A and 624B, container(s) 620A and 620B, and/or pod(s) 620A and 620B across the worker nodes (e.g., worker nodes 612A and 612B) available in computing cluster 604 may be further facilitated by configuration data provided by API 608. Database 612 of master node 606 may store the configuration data representing a current arrangement of worker nodes, pods, containers, and software applications within computing cluster 604. The configuration data may additionally identify other components of the container orchestration engine (e.g., KUBERNETES®) operating on computing cluster 604, including volumes (i.e., persistent storage within a pod), overlay networks, daemon sets, resource sets, cron jobs, and processes that make up a given software application, among other components. API 608 may provide a mechanism for accessing this data by way of a computing device within managed network 300, a computing device within remote network management platform 320, or a computing device within computing cluster 604, among other possibilities. API 608 might not, however, provide data indicative of the communicative relationships between the worker nodes, pods, containers, software applications, and/or other components of the container orchestration engine executing on computing cluster 604.

The configuration data may be used in combination with the traffic data generated by packet detection modules 700A and 700B to generate mappings between containerized software applications that have communicative relationships therebetween. Specifically, the traffic data may be parsed for patterns indicative of communicative relationships between the containerized software applications identified by the configuration data. The traffic data may also be used to identify communicative relationships between other components of the container orchestration engine that have been identified by the configuration data. Without the configuration data provided by API 608, the identities of the modules using the different IP addresses between which network traffic is monitored might not be known.

Notably, since a containerized software application (e.g., software application(s) 624A and 624B) may be ephemeral, the IP address of the pod in which it is executing, as well as the container in which it is executing, may change as the containerized software application is redistributed across different pods or worker nodes. Thus, the traffic data alone might be insufficient to keep track of the distribution of containerized software applications since the identities of the software applications assigned particular addresses are unknown from the traffic data alone. The configuration data may allow for identification of the containerized software applications corresponding to the different IP addresses and ports thereof among which network traffic is exchanged over time. The combination of traffic data and configuration data may thus allow for identification of the resources in computing cluster 604 (using the configuration data) as well as the communicative relationships therebetween (using the traffic data).

Parsing the traffic data for patterns indicative of communicative relationships between the containerized software applications may involve determining that a first containerized software application identified by the configuration data has requested to establish a connection, has established a connection, or is exchanging data with a second containerized software application identified by the configuration data. Additionally, parsing the traffic data for patterns may involve determining that one or more packets of a given type are exchanged between addresses corresponding to the first and second containerized software applications at a time when the first and second containerized software applications are assigned these addresses. That is, the parsing process may verify that the addresses were in fact used to exchange data between the first and second applications, rather than some other applications assigned the same addresses at an earlier or later point in time. To that end, the configuration data as well as the traffic data may be timestamped to facilitate such verification.

When one or more patterns indicative of communicative relationships between the containerized software applications are identified, mappings may be generated between the containerized software applications that have communicative relationships therebetween. The mappings may be stored in a database (e.g., stored by computational instance 322 in database 702) along with the configuration data. For example, the mappings may be stored as configuration items in CMDB 500 (thus, database 702 and CMDB 500 may be the same database or different databases). The mappings may also be expressed as a graph, with each node of the graph representing a containerized software application and each link between the nodes representing a communicative relationship. To that end, the database may store therein a definition of the graph.

The mapping operations described above may be carried out by, for example, a computing device within managed network 300, a computing device within remote network management platform 320, a computing device within computing cluster 604, or a combination thereof, among other possibilities. For example, computing cluster 604 may be configured to execute containerized applications on behalf of managed network 300 while computational instance 322 within remote network management platform 320 may be configured to monitor the distribution of software applications, containers, pods, and worker nodes within computing cluster 604 on behalf of managed network 300. Computational instance 322 may also be configured to, based on the monitoring, provide a way to access and visualize the monitored distribution, thereby allowing users of managed network 300 to better understand how computing cluster 604 operates.

Additionally, the computing device may be configured to periodically repeat the operations described above to track a history of changes in the distribution of resources in computing cluster 604. Specifically, the computing device may be configured to periodically access the configuration data via API 608 and access the traffic data from packet detection modules 700A and 700B to keep track of the distribution and communicative relationships between software application(s) 624A and 624B, container(s) 622A and 622B, pod(s) 620A and 620B, and worker nodes 612A and 612B over time.

VII. Example Operations for Mapping of Ephemeral Software Applications

FIG. 8A illustrates an example deployment process for containerized software applications. Developer/operator 600 may specify a desired deployment of containerized software applications. For example, developer/operator 600 may specify that computing cluster 604 should execute one pod with containerized software application 800, two pods with containerized software application 802, and one pod with containerized software application 804. For example, containerized software application 800 may be a user-facing front-end of a web-based application, while containerized software applications 802 and 804 may be back-ends that provide some of the functionality (e.g., image processing, mathematical calculations, database management, etc.) exposed via front-end software application 800.

Software application 802 may take longer to run, may perform a more computationally-intensive task, and/or may be invoked more frequently than software applications 800 or 804. Thus, two pods are allocated for software application 802, while only one pod is allocated for each of software applications 800 and 804. However, other factors may also drive the number of pods allocated to a given software application. In some cases, the number of pods for each application may be automatically scaled based on demand.

In response to receiving this indication of the desired number of pods for each of containerized software applications 800, 802, and 804, master node 606 may be configured to determine a distribution of the desired number of pods across worker nodes 612A, 612B, 612C, and 612D and provide instructions thereto to initiate execution of the desired number of pods. Thus, master node 606 may instruct (i) worker node 612A to execute on pod 806 containerized software application 800, (ii) worker node 612B to execute on pod 808A containerized software application 802, (iii) worker node 612D to execute on pod 808B containerized software application 802, (iv) and worker node 612C to execute on pod 810 containerized software application 804. The distribution may be based on, for example, the amount of computational resources available on each of worker nodes 612A, 612B, 612C, and 612D and the amount of computational resources expected to be utilized by each of the pods, among other factors.

Once software applications 800, 802, and 804 are deployed in pods 806, 808A, 808B, and 810, the software applications may be configured to receive traffic from and provide service to remote user(s) 602, as illustrated in FIG. 8B. For example, a first user of remote user(s) 602 may transmit a first request to the web service made up of application 800, 802, and 804. The first request may be handled by front-end software application 800 executing in pod 806. Pod 806 may, in response, transmit a second request to software application 802 executing in pod 808A. In response to receiving the second request, software application 802 executing in pod 808A may process the second request and provide a corresponding response 812 (e.g., a processed image, a confirmation of a successful database modification, etc.). Notably, the second request could alternatively be transmitted to pod 808B, as described below, which is also configured to execute software application 802. Requests to software application 802 may thus be load balanced between pods 808A and 808B.

Pod 806 may also transmit a third request to software application 804 executing in pod 810. In response to the third request, software application 804 executing in pod 810 may process the request and provide a corresponding response 814. Software application 800 may then provide response 816 to the first user, which may be based on responses 812 and 814.

The network traffic between the first user, pod 806, pod 808A, and pod 810 may be monitored by packet detection modules disposed on worker nodes 612A, 612B, and 612C to generate and store traffic data indicative of communicative relationships between software applications 800, 802, and 804, their containers, pods, and/or worker nodes. Each transmission may be timestamped to allow for monitoring of the communicative relationships over time. The communicative relationships between pods 806, 808A, 808B, and 810 (and therefore applications 800, 802, and 804) may thus be determine based on data acquired during execution thereof, without reliance on prior knowledge of the structure and relationships between software application 800, 802, and 804. Notably, additional monitoring of network traffic may be needed to uncover any communicative relationships of pod 808B with pods 806, 808A, 810.

Thus, second user of remote user(s) 602 may transmit a fourth request to the web service made up of application 800, 802, and 804, which may be handled by front-end software application 800 executing in pod 806. Pod 806 may, in response, transmit a fifth request to software application 802 executing in pod 808B. Notably, this time the request from pod 806 to application 802 may be load balanced to pod 808B rather than 808A. In response to receiving the fifth request, software application 802 executing in pod 808B may process the fifth request and provide a corresponding response 818. Pod 806 may also transmit a sixth request to software application 804 executing in pod 810. In response to the sixth request, software application 804 executing in pod 810 may process the request and provide a corresponding response 820. Software application 800 may then provide response 822 to the first user, which may be based on responses 818 and 820.

The network traffic between the second user, pod 806, pod 808B, and pod 810 may again be monitored by packet detection modules disposed on worker nodes 612A, 612C, and 612D to generate and store traffic data indicative of communicative relationships. Again, each transmission may be timestamped to allow for monitoring of the communicative relationships over time. The traffic data may be used in combination with configuration data from API 608 to map the distribution and communicative relationships of software applications 800, 802, and 804, any containers therefor, and pods 806, 808A, 808B, and 810 among worker nodes 612A, 612B, 612C, and 612D.

For example, a computing device disposed within managed network 300, within remote network management platform 320, or within computing cluster 604 may request configuration data from API 608. The configuration data may indicate that application 800 is executing in pod 806 on worker node 612A, a first copy of application 802 is executing in pod 808A on worker node 612B, a second copy of application 802 is executing in pod 808B on worker node 612D, and application 804 is executing in pod 810 on worker node 612C. The computing device may also request and receive, from each of the packet detection modules executing on worker nodes 612A, 612B, 612C, and 612D, traffic data corresponding to any connections that have been established between pods 806, 808A, 808B, and 810.

The traffic data may be parsed by the computing device for patterns indicative of communicative relationships between pods 806, 808A, 808B, and 810 (and thus applications 800, 802, and 804 as well as the containers in which these application are executed). The computing device may also generate mappings between any pods (and thus any containers and applications) that have communicative relationships therebetween. The generated mappings may be organized into a graph that can be displayed on a user interface to allow a user to visualize the distribution of software applications 800, 802, and 804 among the nodes of computing cluster 604.

FIG. 9A illustrates graphical user interface 900 that shows the mapping between pods 806, 808A, 808B, and 810. Namely, FIG. 9A shows that requests from remote user(s) 602 are handled by software application 800 executing in pod 806 on worker node 612A. Pod 806, in turn, communicates with software application 802, executing in pods 808A and 808B on worker nodes 612B and 612D, respectively, and with software application 804 executing in pod 810 on worker node 612C. Pods 808A, 808B, and 810 (or the applications therein) do not communicate directly with one another in this example. Such visual mapping of the communicative relationships may be helpful where the structure and relationships of software applications 800, 802, and 804 are not known to the user or entity utilizing the service mapping. For example, the mapping may allow remote network management platform 320 to automatically keep track of the state of any ephemeral containerized software applications executing on behalf of managed network 300 by computing cluster 604 without having prior information (e.g., the source code) about the containerized software application.

User interface 900 may additionally include timeline 902, cursor 904 indicating a time point along the timeline 902 at which the state of computing cluster 604 is shown, and the date and time corresponding to the time point (e.g., Apr. 30, 2018 9:02 AM). Cursor 904 may be repositioned along timeline 902 by interacting with user interface 900 to show the distribution of software applications 800, 802, and 804 across computing cluster 604 at different points in time. In one example, the mapping shown in user interface 900 may be stored in a database by the computing device as a graph, with worker node, pod, and software application represented as nodes or hierarchical sub-nodes, and each communicative relationship represented as a link between corresponding nodes or sub-nodes.

When displayed on user interface 900, the nodes of the graph may be interactive, allowing for the level within the hierarchy represented by each node to be modified. For example, a node representing a pod may be clicked or otherwise selected to view the containerized software applications executing therein. Further, the containerized software applications may be selected to view the different processes that make up the software application.

The distribution of software applications, containers, and pods across worker nodes 612A, 612B, 612C, and 612D may change from time to time as worker nodes, pods, and/or containers terminate their operation due to planned or unplanned causes. The computing device may thus periodically repeat the operations discussed above to identify any new distributions over time.

To that point, FIG. 8C illustrates termination and replacement of a pod. Namely, pod 808B on worker node 612D may terminate. For example, the termination may be scheduled by scheduler and controller manager 610 of master node 606 to allow for reassignment of computing resources. Alternatively, the termination may be caused by an error during execution of pod 808B or software application 802 therein, or by failure of node 612D, among other possible causes. Master node 606 may periodically poll worker node 612D to determine the state of the pods executing thereon. After termination of pod 808B, master node may determine that pod 808B is no longer executing on worker node 612D and, in response, may deploy a replacement pod for software application 802 to one of the other worker nodes in computing cluster 604. FIG. 8C shows master node deploying replacement pod 808C to worker node 612C. In some implementations, master node 606 may identify termination of pod 808B in other ways such as, for example, by receiving a signal from the terminated pod 808B rather than by polling worker node 612D.

In response to receiving instructions from master node 606 to deploy replacement pod 808C, worker node 612C may deploy replacement pod 808C thereon. The service into which software applications 800, 802, and 804 are organized may be updated to reflect that pod 808B has been replaced by pod 808C. Subsequent traffic to the service may thus utilize pod 808C on worker node 612C rather than now-terminated pod 808B on worker node 612D. This change in the distribution of pods across computing cluster 604 may be identified based on the configuration data and additional traffic data generated by packet detection modules disposed on worker nodes 612A, 612B, and 612C.

FIG. 8D illustrates additional traffic to software applications 800, 802, and 804 that allows the updated communicative relationships therebetween to be determined. Namely, an additional seventh request from remote user(s) 602 may be received by front-end software application 800 executing in pod 806. Pod 806 may, in response, transmit an eighth requests to software application 802 by utilizing pod 808A, as shown in the top portion of FIG. 8D. In response, software application 802 executing in pod 808A may process the eighth request and provide a corresponding response 824. Pod 806 may also transmit a ninth request to software application 804 executing in pod 810. In response, software application 804 executing in pod 810 may process the request and provide a corresponding response 826. Software application 800 may then provide response 828 to remote user(s) 602.

A further tenth request from remote user(s) 602 may be received by front-end software application 800 executing in pod 806. Pod 806 may, in response, transmit an eleventh request to software application 802 by utilizing pod 808C, as shown in the bottom portion of FIG. 8D. In response, software application 802 executing in pod 808C may process the eleventh request and provide a corresponding response 830. Pod 806 may also transmit a twelfth request to software application 804 executing in pod 810. In response, software application 804 executing in pod 810 may process the twelfth request and provide a corresponding response 832. Software application 800 may then provide response 834 to remote user(s) 602.

The network traffic monitored after replacement of pod 808B with pod 808C may allow the new communicative relationships between the pods to be updated based on the redistribution of pods across worker nodes 612A, 612B, 612C, and 612D. Namely, the stored traffic data may indicate that pod 806 now accesses pod 808C rather than pod 808B to execute software application 802. The stored traffic data may indicate that pod 808C is hosted by worker node 612C and not by worker node 612D, as was the case for pod 808B. The computing device may again parse the stored traffic data to identify the new communicative relationships. Notably, in some cases, more than two requests from remote user(s) 602 may be needed to completely map out the communicative relationships between the pods. Additionally, the monitored network traffic may include traffic that is not caused by a request from remote user(s) 602. Pods may, for example, communicate with one another to execute various background tasks as part of the operation of the software applications executing therein.

FIG. 9B shows graphical user interface 900 updated to illustrate the communicative relationships amongst components of computing cluster 604 after replacement of pod 808B with pod 808C. Notably, cursor 904 has moved towards the right and the time corresponding thereto (i.e., Apr. 30, 2018 9:15 AM) has been updated to indicate that FIG. 9B shows the state of computing cluster at a later time than FIG. 9A. FIG. 9B illustrates that pod 808B has been replaced with pod 808C which is hosted by worker node 612C. Although not shown in FIGS. 9A and 9B, the communicative relationships may additionally include communicative relationships between pods executing on the same worker node, as well as communicative relationships between pods and other computing devices outside of computing cluster 604. Thus, in some embodiments, FIG. 9B might still show relationship(s) with worker node 612D, but these relationship(s) may be de-emphasized.

VIII. Example Operations

FIG. 10 is a flow chart illustrating an example embodiment. The process illustrated by FIG. 10 may be carried out by a computing device, such as computing device 100, and/or a cluster of computing devices, such as server cluster 200. However, the process can be carried out by other types of devices or device subsystems. For example, the process could be carried out by a portable computer, such as a laptop or a tablet device.

The embodiments of FIG. 10 may be simplified by the removal of any one or more of the features shown therein. Further, these embodiments may be combined with features, aspects, and/or implementations of any of the previous figures or otherwise described herein.

Block 1000 may involve requesting and receiving, from one or more worker nodes and by a computing device disposed within a remote network management platform that manages a managed network, configuration data identifying containerized software applications executing on the one or more worker nodes on behalf of the managed network. The managed network may obtain service from a computing cluster that includes the one or more worker nodes.

Block 1002 may involve accessing, by the computing device, traffic data generated by packet detection modules disposed amongst the one or more worker nodes. The packet detection modules may be configured to (i) monitor network traffic between the containerized software applications and (ii) generate and store the traffic data. The traffic data may be indicative of the monitored network traffic.

Block 1004 may involve parsing, by the computing device, the traffic data for one or more patterns indicative of communicative relationships between the containerized software applications identified by the configuration data.

Block 1006 may involve, based on the one or more patterns being present in the traffic data, generating, by the computing device, mappings between the containerized software applications that have communicative relationships therebetween.

Block 1008 may involve storing, in a database disposed within the remote network management platform and by the computing device, the configuration data and the mappings.

In some embodiments, the one or more worker nodes may be configured to execute the containerized software applications in pods. Each pod may be configured to execute therein one or more of the containerized software applications. A master node may be configured to manage distribution of the pods across the one or more worker nodes by receiving an indication of a desired number of pods for each containerized software application of the containerized software applications. The master node may also be configured to manage distribution of the pods across the one or more worker nodes by providing instructions to the one or more worker nodes to initiate execution of the desired number of pods for each containerized software application across the one or more worker nodes. The master node may additionally be configured to manage distribution of the pods across the one or more worker nodes by determining that one or more pods of the desired number of pods have terminated and by providing instructions to the one or more worker nodes to replace the one or more pods that have terminated with one or more replacement pods to maintain the desired number of pods for each containerized software application. The configuration data identifying the containerized software applications may indicate the one or more pods that have terminated and the one or more replacement pods. The traffic data may indicate monitored network traffic related to the one or more pods that have terminated and the one or more replacement pods.

In some embodiments, a definition of a graph that represents the containerized software applications as nodes and the communicative relationships therebetween as links may be generated. The definition of the graph may be stored in the database.

In some embodiments, a representation of a graphical user interface that displays the graph in accordance with the stored definition may be provided to a client device associated with the managed network.

In some embodiments, the monitored network traffic further includes network traffic between the containerized software applications and one or more computing devices external to the computing cluster.

In some embodiments, the packet detection modules are configured to generate and store the traffic data indicative of the monitored network traffic by identifying, within the monitored network traffic, Transmission Control Protocol (TCP) SYN packets exchanged between the containerized software applications. A TCP SYN packet indicates initiation of a new network connection. The packet detection modules are also configured to generate and store the traffic data indicative of the monitored network traffic by storing traffic data indicative of the TCP SYN packets exchanged between the containerized software applications.

In some embodiments, (i) the requesting and receiving of configuration data and (ii) the accessing of the traffic data may be periodically repeated to monitor a distribution of the containerized software applications across the one or more worker nodes over time.

In some embodiments, the configuration data and the mappings corresponding thereto may be timestamped. Storing the configuration data and the mappings may involve storing a timestamp associated with the configuration data and the mappings corresponding thereto to represent the distribution of the containerized software applications across the one or more worker nodes over time.

In some embodiments, parsing the traffic data for the one or more patterns may involve determining that a first containerized software application identified by the configuration data transmitted one or more packets of a given type to a second containerized software application identified by the configuration data.

In some embodiments, the first containerized software application may be executed by a first worker node of the one or more worker nodes and the second containerized software application may be executed by a second worker node of the one or more worker nodes. The first worker node may different from the second worker node.

In some embodiments, the first containerized software application and the second containerized software application may each be executed by a first worker node of the one or more worker nodes.

In some embodiments, the computing cluster may be disposed within one or more of (i) the remote network management platform, (ii) the managed network, or (iii) a third-party computing system different from the remote network management platform and the managed network.

In some embodiments, the configuration data identifying the containerized software applications includes a group of one or more of (i) an indication of a pod in which a particular software application is being executed, (ii) an indication of a container within a pod in which the particular software application is being executed, (iii) an indication of processes executing within the container in which the particular software application is being executed, and (iv) a service with which the pod in which the particular software application is being executed is associated.

In some embodiments, a system may include means, disposed within a remote network management platform that manages a managed network, for requesting and receiving, from one or more worker nodes, configuration data identifying containerized software applications executing on the one or more worker nodes on behalf of the managed network. The managed network obtains service from a computing cluster that includes the one or more worker nodes. The system may also include means for accessing traffic data generated by packet detection modules disposed amongst the one or more worker nodes. The packet detection modules may be configured to (i) monitor network traffic between the containerized software applications and (ii) generate and store the traffic data. The traffic data may be indicative of the monitored network traffic. The system may additionally include means for parsing the traffic data for one or more patterns indicative of communicative relationships between the containerized software applications identified by the configuration data. The system may further include means for, based on the one or more patterns being present in the traffic data, generating mappings between the containerized software applications that have communicative relationships therebetween. The system may yet further include means for storing, in a database disposed within the remote network management platform, the configuration data and the mappings.

IX. Conclusion

The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its scope, as will be apparent to those skilled in the art. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those described herein, will be apparent to those skilled in the art from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims.

The above detailed description describes various features and operations of the disclosed systems, devices, and methods with reference to the accompanying figures. The example embodiments described herein and in the figures are not meant to be limiting. Other embodiments can be utilized, and other changes can be made, without departing from the scope of the subject matter presented herein. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations.

With respect to any or all of the message flow diagrams, scenarios, and flow charts in the figures and as discussed herein, each step, block, and/or communication can represent a processing of information and/or a transmission of information in accordance with example embodiments. Alternative embodiments are included within the scope of these example embodiments. In these alternative embodiments, for example, operations described as steps, blocks, transmissions, communications, requests, responses, and/or messages can be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved. Further, more or fewer blocks and/or operations can be used with any of the message flow diagrams, scenarios, and flow charts discussed herein, and these message flow diagrams, scenarios, and flow charts can be combined with one another, in part or in whole.

A step or block that represents a processing of information can correspond to circuitry that can be configured to perform the specific logical functions of a herein-described method or technique. Alternatively or additionally, a step or block that represents a processing of information can correspond to a module, a segment, or a portion of program code (including related data). The program code can include one or more instructions executable by a processor for implementing specific logical operations or actions in the method or technique. The program code and/or related data can be stored on any type of computer readable medium such as a storage device including RAM, a disk drive, a solid state drive, or another storage medium.

The computer readable medium can also include non-transitory computer readable media such as computer readable media that store data for short periods of time like register memory and processor cache. The computer readable media can further include non-transitory computer readable media that store program code and/or data for longer periods of time. Thus, the computer readable media may include secondary or persistent long term storage, like ROM, optical or magnetic disks, solid state drives, compact-disc read only memory (CD-ROM), for example. The computer readable media can also be any other volatile or non-volatile storage systems. A computer readable medium can be considered a computer readable storage medium, for example, or a tangible storage device.

Moreover, a step or block that represents one or more information transmissions can correspond to information transmissions between software and/or hardware modules in the same physical device. However, other information transmissions can be between software modules and/or hardware modules in different physical devices.

The particular arrangements shown in the figures should not be viewed as limiting. It should be understood that other embodiments can include more or less of each element shown in a given figure. Further, some of the illustrated elements can be combined or omitted. Yet further, an example embodiment can include elements that are not illustrated in the figures.

While various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purpose of illustration and are not intended to be limiting, with the true scope being indicated by the following claims. 

What is claimed is:
 1. A computing system comprising: a database disposed within a remote network management platform that manages a managed network, wherein the managed network obtains service from a computing cluster that includes a master node and a plurality of worker nodes configured to execute a plurality of containerized software applications in pods on behalf of the managed network, and wherein the master node is configured to manage distribution of the pods across the plurality of worker nodes; and a computing device disposed within the remote network management platform and configured to: request and receive, from packet detection modules disposed amongst the plurality of worker nodes, traffic data generated by the packet detection modules, wherein the packet detection modules are configured to (i) monitor network traffic between the plurality of containerized software applications and (ii) generate and store the traffic data, wherein the traffic data is indicative of the monitored network traffic; receive, from the master node, configuration data identifying the plurality of containerized software applications, wherein the configuration data includes a list of addresses assigned to the plurality of containerized software applications at a point in time, and wherein the configuration data identifies a first containerized software application and a second containerized software application in the plurality of containerized software applications; parse the traffic data for one or more patterns indicative of a communicative relationship between the first containerized software application and the second containerized software application at a particular time by: identifying, in the traffic data, a first address and a second address, wherein the first address and the second address correspond to addresses assigned to different containerized software applications of the plurality of containerized software applications; identifying, based on the traffic data, a timestamp corresponding to a communication between the first address and the second address; and determining, based on the configuration data, that the first address was assigned to the first containerized software application and the second address was assigned to the second containerized software application at a time indicated by the timestamp; generate, based on the one or more patterns being present in the traffic data, a mapping between the first containerized software application and the second containerized software application; and store the mapping in the database.
 2. The computing system of claim 1, wherein each pod is configured to execute therein one or more of the plurality of containerized software applications and wherein the master node is configured to manage distribution of the pods across the plurality of worker nodes by: receiving an indication of a desired number of pods for each containerized software application of the plurality of containerized software applications; providing instructions to the plurality of worker nodes to initiate execution of the desired number of pods for each containerized software application across the plurality of worker nodes; determining that one or more pods of the desired number of pods have terminated; and providing instructions to at least one of the plurality of worker nodes to replace the one or more pods that have terminated with one or more replacement pods to maintain the desired number of pods for each containerized software application, wherein the configuration data identifying the plurality of containerized software applications indicates the one or more pods that have terminated and the one or more replacement pods, and wherein the traffic data indicates monitored network traffic related to the one or more pods that have terminated and the one or more replacement pods.
 3. The computing system of claim 1, wherein the computing device is configured to: generate a definition of a graph that represents the plurality of containerized software applications as nodes and communicative relationships including the communicative relationship therebetween as links; and store, in the database, the definition of the graph.
 4. The computing system of claim 3, wherein the computing device is configured to: provide, to a client device associated with the managed network, a representation of a graphical user interface that displays the graph in accordance with the stored definition.
 5. The computing system of claim 1, wherein the monitored network traffic comprises network traffic between the plurality of containerized software applications and one or more computing devices external to the computing cluster.
 6. The computing system of claim 1, wherein the packet detection modules are configured to generate and store the traffic data indicative of the monitored network traffic by: identifying, within the monitored network traffic, Transmission Control Protocol (TCP) SYN packets exchanged between containerized software applications of the plurality of containerized software applications, wherein a TCP SYN packet indicates initiation of a new network connection; and storing traffic data indicative of the TCP SYN packets exchanged between the containerized software applications.
 7. The computing system of claim 1, wherein the computing device is configured to periodically repeat (i) the requesting and receiving of traffic data and (ii) the receiving of the configuration data to monitor a distribution of the plurality of containerized software applications across the plurality of worker nodes over time.
 8. The computing system of claim 7, wherein the configuration data and mappings including the mapping corresponding thereto are timestamped, and wherein the computing device is configured to store the configuration data and the mappings by: storing a timestamp associated with the configuration data and the mappings corresponding thereto to represent the distribution of the containerized software applications across the plurality of worker nodes over time.
 9. The computing system of claim 1, wherein the computing device is configured to parse the traffic data for the one or more patterns by: determining that the first containerized software application identified by the configuration data transmitted one or more packets of a given type to the second containerized software application identified by the configuration data.
 10. The computing system of claim 1, wherein the first containerized software application is executed by a first worker node of the plurality of worker nodes and the second containerized software application is executed by a second worker node of the plurality of worker nodes, and wherein the first worker node is different from the second worker node.
 11. The computing system of claim 1, wherein the first containerized software application and the second containerized software application are each executed by a first worker node of the plurality of worker nodes.
 12. The computing system of claim 1, wherein the computing cluster is disposed within one or more of (i) the remote network management platform, (ii) the managed network, or (iii) a third-party computing system different from the remote network management platform and the managed network.
 13. The computing system of claim 1, wherein the configuration data identifying the plurality of containerized software applications comprises a group of one or more of (i) an indication of a pod in which a particular software application is being executed, (ii) an indication of a container within a pod in which the particular software application is being executed, (iii) an indication of processes executing within the container in which the particular software application is being executed, and (iv) a service with which the pod in which the particular software application is being executed is associated.
 14. A method comprising: requesting and receiving, from packet detection modules disposed amongst a plurality of worker nodes configured to execute a plurality of containerized software applications in pods on behalf of a managed network managed by a remote network management platform and by a computing device disposed within the remote network management platform, traffic data generated by the packet detection modules, wherein the managed network obtains service from a computing cluster that includes the plurality of worker nodes and a master node configured to manage distribution of the pods across the plurality of worker nodes, and wherein the packet detection modules are configured to (i) monitor network traffic between the plurality of containerized software applications and (ii) generate and store the traffic data, wherein the traffic data is indicative of the monitored network traffic; receiving, by the computing device and from the master node, configuration data identifying the plurality of containerized software applications executing on the plurality of worker nodes, wherein the configuration data includes a list of addresses assigned to the plurality of containerized software applications, and wherein the configuration data identifies a first containerized software application and a second containerized software application in the plurality of containerized software applications at a point in time; parsing, by the computing device, the traffic data for one or more patterns indicative of a communicative relationship between the first containerized software application and the second containerized software application at a particular time by: identifying a first address and a second address in the traffic data, wherein the first address and the second address correspond to addresses assigned to different containerized software applications of the plurality of containerized software applications; identifying, based on the traffic data, a timestamp corresponding to a communication between the first address and the second address; and determining, based on the configuration data, that the first address was assigned to the first containerized software application and the second address was assigned to the second containerized software application at a time indicated by the timestamp; based on the one or more patterns being present in the traffic data, generating, by the computing device, a mapping between the first containerized software application and the second containerized software application; and storing, by the computing device, the mapping in a database disposed within the remote network management.
 15. The method of claim 14, comprising: generating a definition of a graph that represents the plurality of containerized software applications as nodes and communicative relationships including the communicative relationship therebetween as links; and storing, in the database, the definition of the graph.
 16. The method of claim 15, comprising: providing, to a client device associated with the managed network, a representation of a graphical user interface that displays the graph in accordance with the stored definition.
 17. The method of claim 14, wherein the packet detection modules are configured to generate and store the traffic data indicative of the monitored network traffic by: identifying, within the monitored network traffic, Transmission Control Protocol (TCP) SYN packets exchanged between containerized software applications of the plurality of containerized software applications, wherein a TCP SYN packet indicates initiation of a new network connection; and storing traffic data indicative of the TCP SYN packets exchanged between the containerized software applications.
 18. The method of claim 14, comprising: periodically repeating (i) the requesting and receiving of traffic data and (ii) the receiving of the configuration data to monitor a distribution of the plurality of containerized software applications across the plurality of worker nodes over time.
 19. The method of claim 18, wherein the configuration data and mappings including the mapping corresponding thereto are timestamped, and wherein storing the configuration data and the mappings comprises: storing a timestamp associated with the configuration data and the mappings corresponding thereto to represent the distribution of the containerized software applications across the plurality of worker nodes over time.
 20. An article of manufacture including a non-transitory computer-readable medium, having stored thereon program instructions that, upon execution by a computing system, cause the computing system to perform operations comprising: requesting and receiving, from packet detection modules disposed amongst a plurality of worker nodes configured to execute a plurality of containerized software applications in pods on behalf of a managed network managed by a remote network management platform, traffic data generated by the packet detection modules, wherein the managed network obtains service from a computing cluster that includes the plurality of worker nodes and a master node configured to manage distribution of the pods across the plurality of worker nodes, wherein the computing system is disposed within the remote network management platform, and wherein the packet detection modules are configured to (i) monitor network traffic between the plurality of containerized software applications and (ii) generate and store the traffic data, wherein the traffic data is indicative of the monitored network traffic; receiving, from the master node, configuration data identifying the plurality of containerized software applications executing on the plurality of worker nodes, wherein the configuration data includes a list of addresses assigned to the plurality of containerized software applications at a point in time, and wherein the configuration data identifies a first containerized software application and a second containerized software application in the plurality of containerized software applications; parsing the traffic data for one or more patterns indicative of a communicative relationship between the first containerized software application and the second containerized application at a particular time by: identifying a first address and a second address in the traffic data, wherein the first address and the second address correspond to addresses assigned to different containerized software applications of the plurality of containerized software applications; identifying, based on the traffic data, a timestamp corresponding to a communication between the first address and the second address; and determining, based on the configuration data, that the first address was assigned to the first containerized software application and the second address was assigned to the second containerized software application at a time indicated by the timestamp; based on the one or more patterns being present in the traffic data, generating a mapping between the first containerized software application and the second containerized software; and storing the mapping in a database disposed within the remote network management platform. 